As specified in the license, the software is provided as-is with no guarantees whatsoever.

The latest release is the only supported version. Security patches will not be backported unless otherwise specified.

All repositories in the time-rs organization are included in this security policy. Other crates may link to this policy as a way of providing their own security policy, but the contact information may be different.

Security vulnerabilities are taken seriously. If you discover a security vulnerability, please report it by email using the email address on the maintainer's GitHub profile. Please do not disclose the vulnerability publicly until an opportunity has been given to investigate and release a patch.

When reporting a vulnerability, please include the following information if possible:

• A description of the vulnerability
• Steps to reproduce the vulnerability
• Any proof of concept code

After receiving notice of a potential vulnerability, it will be investigated to determine whether there is in fact a vulnerability. If it is determined that there is, a patch will be developed and released in a timely manner, keeping in mind that this is a volunteer project and that the work is being done in the maintainer's free time. After a patch is released, the vulnerability will be publicly disclosed, and the reporter will be credited if desired. A CVE and/or RUSTSEC advisory will be requested as appropriate.